[Owasp-board] [Vote Requested] Loss from AppSec Asia

Michael Coates michael.coates at owasp.org
Wed Dec 21 17:12:54 UTC 2011


Board Vote requested to pay $5500 to cover a portion of the AppSec Asia losses. 


Further actions (not part of this vote) - We'll work with the conference committee to shore up the contracts and avoid this situation in the future. An item to discuss in January's call.


Michael Coates
OWASP



Begin forwarded message:

> From: Michael Coates <michael.coates at owasp.org>
> Date: December 15, 2011 6:08:25 PM PST
> To: Sarah Baso <sarah.baso at owasp.org>
> Cc: Kate Hartmann <kate.hartmann at owasp.org>, Tin Zaw <tin.zaw at owasp.org>, Mark Bristow <mark.bristow at owasp.org>, alison mcnamee <alison.shrader at owasp.org>, MattTesauro Tesauro <mtesauro at gmail.com>, OWASP Foundation Board List <owasp-board at lists.owasp.org>, Lucas Ferreira <lucas.ferreira at owasp.org>, global_conference_committee <global_conference_committee at lists.owasp.org>
> Subject: Re: [Owasp-board] [Global_conference_committee] Loss from AppSec Asia
> 
> Sarah,
> 
> Thanks for this summary.  I've reread the threads on this issue and also Sarah's summary below.  
> 
> Here is where I am sitting on this issue:
> 
> - OWASP was made aware of this event and signed off on it as an official owasp event
> - Per Lucas Ferreira's email (forwarded by Sarah on 12/7/11) OWASP did enter into a relationship with SecZone
> - We had some controls in place to require visibility into expenses. These controls failed since we did not receive requested documentation
> - The total loss is at $16,166.22 
> -- DBAppSecurity will cover $4742
> -- SecZone will cover $6,000
> -- This leaves $5,500
> 
> I believe we should cover a share of this loss ($5500) and also look at the $5,500 as an investment in the China region.  We have tremendous growth opportunities in the AsiaPac region and hopefully we can help this OWASP region get on its feet for self funding events too.
>  
> 
> Moving forward:
> Mark suggested several items to refine our policies to help prevent future situations such as this.  Lucas has pointed out that we need to be more effective in reacting when our intermediate checkpoints are not being met.  In addition, we should update our agreements to ensure caps are established and clear boundaries on who is controlling what aspects of the financial operations.
> 
> Sarah, you also outlined several action items in your email. I'd like to get those on the schedule so we can work to address each of those points to strengthen our ability to work with other organizations for future conferences.
> 
> 
> 
> Michael Coates
> OWASP
> 
> 
> 
> On Dec 9, 2011, at 9:50 AM, Sarah Baso wrote:
> 
>> Michael -
>> 
>> I think there are 3 different "issues" being discussed in this thread. 
>> 
>> 1. How can OWASP limit its liability and ensure financial transparency when organizations other than the OWASP Foundation (US) and OWASP, Inc. (Europe) are handling event or chapter money?
>> 
>> As explained in Lucas's email (which I agree with): the event contract we entered into with SecZone defines the relationship between the parties as well as responsibilities.  That being said, there are a couple of big "responsibilities" that SecZone had that they did not follow through on: providing monthly statements on the financials of the conference AND seeking authorization from the foundation before taking any actions that may incur any expenses to the event.
>> 
>> "In short, I think the problem is not in defining rules. If the process had been followed, we would have better information and early warnings about the problems, making it easier to manage. The problem we have is that we have been unable to enforce the process with conference organizers. My feeling is that we need to rely less on trust and really require the organizers to follow the process defined in the contract."
>> 
>> So action points for the committee:
>> Ensure that a detailed and comprehensive contract is signed by all 3rd parties handling event finances (any time it is someone other than the OWASP Foundation in the US and OWASP Inc. in Europe); it should include certain terms decided by the Board.
>> Better define and vet budgets and impose additional auditing requirements as event planning is in process. This includes:
>>   --> Require initial budgets as described for approvals
>>   --> Require events to report actual expenditures/revised budgets monthly
>>   --> Have all expenditures not within the original budget for that line item be approved by the GCC liaison (and updated on subsequent projections). I would recommend that expenditures over a certain dollar amount require a "second signer" who is aware of the current OWASP financial situation (committee chair, board member, Kate, etc.)
>> 
>> 
>> Action points for the Board/Foundation
>> 
>> Adopt a template contract (or contract terms) to be used any time a 3rd party --someone other than the OWASP Foundation (US) and OWASP Inc. (Europe)-- is handling OWASP Funds. It should require the exact things we asked for in the agreement with SecZone:  providing monthly statements on the financials of the conference AND seeking authorization from the foundation before taking any actions that may incur any expenses to the event or chapter (that will be covered by the Foundation)
>> 
>> This contract can set a maximum out-of-pocket liability (set dollar amount) if the terms are not adhered to.  While I certainly don't want anyone to be held personally liable for running a conference that results in a loss, when the Foundation is authorizing another entity to make expenditures (and decisions) on its behalf, we need to be proactive in limiting our liability. They can either involve us in their decisions (by providing budget updates and getting authorization before spending), or take on complete responsibility for the financial liability.
>> 
>> One thing no one has mentioned (although it undoubtedly is a consideration): OWASP has a responsibility to show its supporters that their donations (via members, sponsorship or other) are being used properly - in support of the OWASP mission. Any time we (OWASP) give up control of how our funds are used, we are also presuming a level of trust that the funds will be spent appropriately. I think this trust is good to a certain extent, but people in China (or other areas of the world) may not have the same understanding of this fiduciary duty that we do, and they will not be held accountable as we will here in the US.  Thus, the only financially responsible decision is for us to limit the amount of money we will "reimburse" or "cover" when the expenses haven't been provided or pre-approved.
>> 
>> I am happy to work on putting a draft contract together based on the 3rd party contracts we have used in the past.
>> 
>> 2. What is the relationship between SecZone and OWASP - both OWASP China and the OWASP Foundation? 
>> I am going to follow up on this in a separate thread. It is important, but slightly tangential to the purpose of this thread. 
>> 
>> 3. Event Specific: How do we handle this loss?
>> In this case, the OWASP Foundation should realize a $5,500 loss for this event (which is what the event organizers are asking for).  They are currently at a $16,166.22 loss, but Frank Fan's company (DBAppSecurity) still owes $4742 and SecZone has said they can cover about $6,000 of the loss. That leaves about $5,500 for us to cover. 
>> 
>> SecZone did not adhere to its financial responsibilities as outlined in our event contract with them. However, since they acted in good faith and we could have done a better job setting forth the repercussions for not adhering to the contract, I think it is fair for us to pay about $5500 or to split the loss with SecZone.  This is a good chance for us to learn from our mistakes and understand what we can do differently to prevent this (or larger losses) from happening in the future.
>> 
>> 
>> 
>> Regards,
>> 
>> Sarah Baso
>> 
>> 
>> 
>> -- 
>> 
>> Administrator for
>> OWASP Global Conference Committee
>> OWASP Global Chapter Committee 
>> 
>> Dir: 312-869-2779
>> skype: sarah.baso
>> 
>> 
>> 
>> 
>> 
>> On Wed, Dec 7, 2011 at 3:44 PM, Michael Coates <michael.coates at owasp.org> wrote:
>> From the brief details I've gleaned here it sounds like everyone has been working for the common good. But we have some losses and need to appropriately handle them.  There are several moving parts.  Kate, Sarah, can one of you gather and summarize the pertinent information from these threads (clarify what's missing or needed)?
>> 
>> The board does need to make some decisions in this specific case and also needs to clarify larger issues for future growth / expansion.
>> 
>> 
>> 
>> Michael Coates
>> OWASP
>> 
>> 
>> 
>> On Dec 7, 2011, at 1:05 PM, Tin Zaw wrote:
>> 
>> > As Mark pointed out, it is an issue with China. It is an issue because
>> > they have a different culture and it is in a country where bureaucracy
>> > and red tape are everywhere. But I can assure you that they -- people
>> > behind this event -- really want to promote OWASP in China. You can
>> > question their motives but their efforts and commitment are obvious.
>> >
>> > We have a choice to be flexible and make it easier for them to promote
>> > our mission, or we can stick to our rules and protect OWASP. I am sure
>> > the board will give us direction.
>> >
>> > On Wed, Dec 7, 2011 at 12:53 PM, Mark Bristow <mark.bristow at owasp.org> wrote:
>> >> Tin,
>> >>
>> >> This is how I also understand our relationship with one caveat.  I
>> >> don't believe that there is a formal agreement between SecZone and
>> >> OWASP for them to act as our representative.  Had this agreement been
>> >> in place, we could have clearly defined how profit/loss would be
>> >> shared for the event, as well as a bunch of other requirements that we
>> >> impose on legal entities representing OWASP elsewhere in the world.
>> >> This however is a larger question beyond this event, and is one the
>> >> board has taken for action.
>> >>
>> >> There are a few points here:
>> >> 1. In this case, it seems to me that the OWASP foundation should realize
>> >> a $5,500 loss for this event (The fact that this was not spelled out
>> >> beforehand is troubling)
>> >> 2. We need to clarify and formalize our relationship with SecZone as
>> >> it relates to OWASP in China (Board Action)
>> >> 3. We need to better define and vet budgets and impose additional
>> >> auditing requirements as event planning is in process
>> >> 4. We need to be more diligent in determining the exact composition
>> >> of the on-site planning team earlier in the process to identify
>> >> potential issues earlier rather than ex post facto.
>> >>
>> >> On Wed, Dec 7, 2011 at 3:38 PM, Tin Zaw <tin.zaw at owasp.org> wrote:
>> >>> I am not sure if Mark's comments or understanding is in sync with what
>> >>> conference organizers -- Rip, Ivy, Frank -- had told me.
>> >>>
>> >>> To me, it was 100% OWASP conference. OWASP, not SecZone or others, was
>> >>> the name used, as you can see in the photos here.
>> >>> https://plus.google.com/photos/106576365897061578673/albums/5678655625299333025
>> >>>
>> >>> SecZone is listed as one of the supporters, just like Frank's company
>> >>> and other supporters.
>> >>>
>> >>> OWASP does not have a legal entity in China and you need a legal
>> >>> entity in China to do a conference like that. So SecZone (a registered
>> >>> non-profit in China, that I was told) was used as a legal entity to
>> >>> organize things for OWASP, on OWASP's behalf.
>> >>>
>> >>> On the bigger scope, OWASP China is "housed" inside SecZone. My
>> >>> understanding is that this is not dissimilar to NASA JPL housed inside
>> >>> Caltech.  SecZone/Caltech provides administrative support while the
>> >>> housed organization carries out OWASP's/NASA's mission. The main
>> >>> reason for this is that an organization in China needs to be a
>> >>> registered legal entity with the government. (Let's not forget that
>> >>> "Communist Party" still rules China). They also informed us that OWASP
>> >>> is not the only organization housed inside SecZone. There are others
>> >>> but OWASP is the major org supported by SecZone.
>> >>>
>> >>> I think it is correct to consider SecZone's and OWASP's budgets (for
>> >>> conference and the chapter) separate. But we should understand the
>> >>> nuances we face when we advance our mission in different cultural
>> >>> contexts.
>> >>>
>> >>> On Wed, Dec 7, 2011 at 11:46 AM, Mark Bristow <mark.bristow at owasp.org> wrote:
>> >>>> So before we get too far down this road.  AppSecASIAPAC was an anomaly.
>> >>>>  GCC (at least I) was not aware that there was another organization
>> >>>> involved until VERY late in the game (weeks before the event).
>> >>>> Technically it should have been classified as a partner event, where a
>> >>>> contract between our two organizations would have been signed (by the
>> >>>> board) up front, clearly identifying these issues.
>> >>>>
>> >>>> In this case, this was presented as a 100% OWASP event when in reality
>> >>>> it was not.  That's the root of the problem here and unlike LATAM the
>> >>>> other organization is more "partner" than "contractor".
>> >>>>
>> >>>> On Wed, Dec 7, 2011 at 1:50 PM, Sarah Baso <sarah.baso at owasp.org> wrote:
>> >>>>> I agree with capping the loss. I also think we should have some more strict
>> >>>>> budget requirements for global appsec conferences, especially when we have
>> >>>>> 3rd parties handling the money.  If Alison is the one making payments and
>> >>>>> accepting money, we can check in with her at any point to find out the
>> >>>>> status of an event; however, we don't have this visibility/transparency
>> >>>>> right now with the 3rd parties.
>> >>>>>
>> >>>>> I think before we go forward with signing contracts for 2012 events
>> >>>>> (especially in Latin America and AsiaPac where they have not run the money
>> >>>>> through the Foundation), we should discuss and decide on a policy for this.
>> >>>>>
>> >>>>> Sarah
>> >>>>>
>> >>>>>
>> >>>>> On Wed, Dec 7, 2011 at 12:45 PM, Eoin <eoin.keary at owasp.org> wrote:
>> >>>>>>
>> >>>>>> Matt,
>> >>>>>> As treasurer, what are your thoughts on limiting liability for losses at
>> >>>>>> global conferences? My view is if we don't do this we are leaving the
>> >>>>>> foundation exposed. Such a cap should be in a contract signed by the
>> >>>>>> conference organisers?? It can be a % or a figure, but right now are we in a
>> >>>>>> position of unlimited liability??
>> >>>>>> Anyone, thoughts??
>> >>>>>>
>> >>>>>>
>> >>>>>>
>> >>>>>>
>> >>>>>> On 7 Dec 2011, at 18:19, Sarah Baso <sarah.baso at owasp.org> wrote:
>> >>>>>>
>> >>>>>> Alison -
>> >>>>>> Can you look to see (or maybe you know off the top of your head) if
>> >>>>>> we sent any down payment or money (other than the approx. $3222 sent
>> >>>>>> recently to cover hotel costs) to China for this conference.  It probably
>> >>>>>> would have been in late July or August of this year?
>> >>>>>>
>> >>>>>> They are currently at a $16,166.22 loss, but Frank Fan's company
>> >>>>>> (DBAppSecurity) still owes $4742 and SecZone has said they can cover about
>> >>>>>> $6,000 of the loss. That leaves about $5,500 for us to possibly cover.  I
>> >>>>>> want to make sure we have a full financial picture of what we have paid
>> >>>>>> before anything is decided though.
>> >>>>>>
>> >>>>>> Thanks,
>> >>>>>> Sarah
>> >>>>>>
>> >>>>>> On Wed, Dec 7, 2011 at 9:41 AM, Mark Bristow <mark.bristow at owasp.org>
>> >>>>>> wrote:
>> >>>>>>>
>> >>>>>>> I believe some of the loss will be realized by each party
>> >>>>>>>
>> >>>>>>> -Mark
>> >>>>>>>
>> >>>>>>> Sent from my wireless device
>> >>>>>>>
>> >>>>>>> On Dec 7, 2011, at 10:33 AM, "Kate Hartmann" <kate.hartmann at owasp.org>
>> >>>>>>> wrote:
>> >>>>>>>
>> >>>>>>> I know there is a documented loss for AppSec Asia for 2011.  Is the
>> >>>>>>> foundation expected to reimburse SecZone for this loss?  What was the
>> >>>>>>> agreement for the financials for this event?  I know that much of this has
>> >>>>>>> come from Rip's personal account.
>> >>>>>>>
>> >>>>>>>
>> >>>>>>>
>> >>>>>>> We need to clear this up before the end of the year.
>> >>>>>>>
>> >>>>>>>
>> >>>>>>>
>> >>>>>>> Kate Hartmann
>> >>>>>>>
>> >>>>>>> Operations Director
>> >>>>>>>
>> >>>>>>> 301-275-9403
>> >>>>>>>
>> >>>>>>> www.owasp.org
>> >>>>>>>
>> >>>>>>> Skype:  Kate.hartmann1
>> >>>>>>>
>> >>>>>>>
>> >>>>>>>
>> >>>>>>> <Copy of OWASP 2011 Appsec Asia cost-1128.xlsx>
>> >>>>>>>
>> >>>>>>> _______________________________________________
>> >>>>>>> Global_conference_committee mailing list
>> >>>>>>> Global_conference_committee at lists.owasp.org
>> >>>>>>> https://lists.owasp.org/mailman/listinfo/global_conference_committee
>> >>>>>>>
>> >>>>>>>
>> >>>>>>
>> >>>>>>
>> >>>>>>
>> >>>>>> _______________________________________________
>> >>>>>> Owasp-board mailing list
>> >>>>>> Owasp-board at lists.owasp.org
>> >>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>
>> >>>>
>> >>>>
>> >>>> --
>> >>>> Mark Bristow
>> >>>> (703) 596-5175
>> >>>> mark.bristow at owasp.org
>> >>>>
>> >>>> OWASP Global Conferences Committee Chair - http://is.gd/5MTvF
>> >>>> OWASP DC Chapter Co-Chair - http://is.gd/5MTwu
>> >>>> AppSec DC Organizer - https://www.appsecdc.org
>> >>>
>> >>>
>> >>>
>> >>> --
>> >>> Tin Zaw, CISSP, CSSLP
>> >>> Chapter Leader and President, OWASP Los Angeles Chapter
>> >>> Chair, OWASP Global Chapter Committee
>> >>> Google Voice: (213) 973-9295
>> >>> LinkedIn: http://www.linkedin.com/in/tinzaw
>> >>
>> >>
>> >>
>> >
>> >
>> >
>> 
>> 
>> 
>> 
>> <AppSec.China.agreement (1).pdf>
> 
